SAP Cyber Threat Intelligence report – November 2018

The SAP threat landscape is always expanding thus putting organizations of all sizes and industries at risk of cyber attacks. The idea behind the monthly SAP Cyber Threat Intelligence report is to provide an insight into the latest security vulnerabilities and threats.

Key takeaways

The recent patch update consists of 16 patches with the majority of them rated medium.

The most common vulnerability types are Implementation Flaw and Denial of Service.

SAP Security Notes – November 2018

SAP has released the monthly critical patch update for November 2018. This patch update closes 16 SAP Security Notes (12 SAP Patch Day Notes and 4 Support Package Notes ). 4 of the patches are updates to previously released Security Notes.

The number of released patches is progressively decreasing.

Below is a chart illustrating the SAP security notes distribution by priority.

SAP Security Notes Distribution by Priority (June – November 2018)

This month, two types of security issues prevalent. Implementation Flaw and Denial of Service are the largest groups in terms of the number of vulnerabilities.

SAP Security Notes Distribution by Vulnerability Type – November 2018

28% of all vulnerabilities belong to the SAP NetWeaver ABAP platform, as a pie chart shows:

Affected Platforms – November 2018

SAP users are recommended to implement security patches as they are released as it helps protect the SAP landscape.

Critical issues closed by SAP Security Notes in November

The following SAP Security Notes can patch the most severe vulnerabilities of this update :

2681280: SAP HANA Streaming Analytics has a Security vulnerability in Spring Framework (CVSS Base Score: 9.9CVE-2018-1270CVE-2018-1275). An attacker can use a Remote command execution vulnerability for unauthorized execution of commands remotely. Executed commands will run with a same privileges of a service that executed a command. An attacker can access to arbitrary files and directories located in a SAP server file system including application source code, configuration and critical system files. It allows obtaining critical technical and business-related information stored in a vulnerable SAP system.
Install this SAP Security Note to prevent the risks.

2691126: SAP Fiori Client has multiple vulnerabilities (DoS, HTML Injection, Missing Authorization Check) (CVSS Base Score: 8.6CVE- 2018-2485CVE-2018-2488CVE-2018-2491CVE-2018-2489CVE-2018-2490)
An attacker can use multiple vulnerabilities and exploit one of the listed or mix them together.
An attacker can use a Denial of service vulnerability to terminate a process of vulnerable component, and nobody would use this service. Missing authorization check vulnerability can be used for accessing a service without authorization procedures and for employing service functionality with restricted access that can lead to information disclosure or attacks like privilege escalation. Cross-site scripting vulnerability allows injecting a malicious script into a page.
Reflected XSS feature refers to tricking a user who would follow a malicious link. In case of stored XSS, malicious script is injected and permanently stored in a page body,so that user would be attacked without performing any actions. The malicious script can access critical information that are stored by browser (including all cookies, session tokens, etc.) and used for interacting with a site. An attacker can gain access to user’s session and see all business-critical information or even get control over it. XSS can be used for unauthorized modifying of displayed site content.Install this SAP Security Note to prevent the risks.

2657670: Web Intelligence Richclient 3 Tiers Mode has a Denial of service (DOS) vulnerability (CVSS Base Score: 7.7CVE-2018-2473 ). An attacker can use a Denial of service vulnerability for terminating a process of avulnerable component, and nobody would use this service. This fact negatively influences business processes, system downtime and business reputation as a result.
Install this SAP Security Note to prevent the risks.

Advisories for these SAP vulnerabilities with technical details will be available in three months on erpscan.com. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.